IP Source Guard Commands

ip source binding

To add a static IP source binding rule for all interfaces or for an interface, use the ip source binding Global Configuration mode command.

To delete a static IP source binding rule for all interfaces or for an interface, use the no form of this command.

Syntax

ip source binding MAC-Addr vlan VLAN-LIST IPv4-Addr interface interface-id

no ip source binding MAC-Addr vlan VLAN-LIST IPv4-Addr interface interface-id

Parameters

MAC-Addr—MAC address for IP source binding.

vlan VLAN-LIST—Specifies a VLAN ID or a range of VLAN IDs for IP source binding.

IPv4-Addr—IP address for IP source binding.

interface interface-id—Specifies an interface ID or a list of interfaces. The interfaces can be one of these types: Ethernet port or port channel.

Default Configuration

No IP source binding rule is configured.

Command Mode

Global Configuration mode

User Guidelines

A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead of creating a new one.

Example

switchxxxxxx(config)# ip source binding 00:aa:bb:cc:dd:ee vlan 7 192.168.1.50 interface fa1
switchxxxxxx(config)# ip source binding 00:bb:bb:cc:dd:ee vlan 7 192.168.1.60 interface gi1
switchxxxxxx(config)# ip source binding 00:cc:bb:cc:dd:ee vlan 10 192.168.1.90 interface po1

ip source binding max-entry

To set the maximum number of IP source binding rules on an interface, use the ip source binding max-entry Interface Configuration mode command.

Syntax

ip source binding max-entry {value | no-limit}

Parameters

value—The maximum number of binding entries. (Range: 1 to 50)

no-limit—Specifies no limit for this rule.

Default Configuration

The default is no limit.

Command Mode

Interface Configuration mode

Example

switchxxxxxx(config)# interface gi13
switchxxxxxx(config-if)# ip source binding max-entry 20

ip verify source

To enable IP source guard on an interface, use the ip verify source Interface Configuration mode command.

To disable IP source guard on an interface, use the no form of this command.

Syntax

ip verify source [mac-and-ip]

no ip verify source

Parameters

mac-and-ip—(Optional) Enables IP source guard with IP and MAC address filtering. If you do not enter the mac-and-ip keyword, IP address filtering is enabled by default.

Default Configuration

IP source guard is disabled.

Command Mode

Interface Configuration mode

User Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source Interface Configuration mode command.

To enable IP source guard with source IP and MAC address filtering, use the ip verify source mac-and-ip Interface Configuration mode command.

Example

switchxxxxxx(config)# interface gi13
switchxxxxxx(config-if)# ip verify source mac-and-ip
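
The following Python model is an added example, not vendor code. It shows a binding table keyed on MAC address and VLAN (so changing only the IP address updates the entry, as described under ip source binding) and the difference between IP-only and mac-and-ip filtering. The BindingTable class, its method names and the per-port, per-VLAN matching rule are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str

class BindingTable:
    """Hypothetical model of the IP source binding database (not vendor code)."""

    def __init__(self):
        self.entries = {}  # keyed by (MAC, VLAN), per the ip source binding guidelines

    def add_static(self, mac, vlan, ip, port):
        """Add or update a static binding; return 'created' or 'updated'."""
        key = (mac.lower(), vlan)
        action = "updated" if key in self.entries else "created"
        self.entries[key] = Binding(mac.lower(), vlan, ip, port)
        return action

    def permits(self, port, vlan, src_mac, src_ip, mac_and_ip=False):
        """Assumed rule: pass only if a binding on this port and VLAN has the
        source IP, and also the source MAC when mac_and_ip is set."""
        for b in self.entries.values():
            if (b.port, b.vlan, b.ip) != (port, vlan, src_ip):
                continue
            if mac_and_ip and b.mac != src_mac.lower():
                continue
            return True
        return False

def demo():
    table = BindingTable()
    out = [table.add_static("00:aa:bb:cc:dd:ee", 7, "192.168.1.50", "fa1")]
    # Same MAC and VLAN with a new IP: the entry is updated, not duplicated.
    out.append(table.add_static("00:aa:bb:cc:dd:ee", 7, "192.168.1.51", "fa1"))
    out.append(len(table.entries))
    other_mac = "00:11:22:33:44:55"  # constructed address with no binding
    # IP-only filtering checks the source IP alone, so the MAC is not compared.
    out.append(table.permits("fa1", 7, other_mac, "192.168.1.51"))
    # mac-and-ip filtering also requires the bound MAC.
    out.append(table.permits("fa1", 7, other_mac, "192.168.1.51", mac_and_ip=True))
    # The replaced IP no longer matches any binding.
    out.append(table.permits("fa1", 7, "00:aa:bb:cc:dd:ee", "192.168.1.50"))
    return out
```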

show ip source binding

To show information for all IP source binding rules defined on the switch, use the show ip source binding Privileged EXEC mode command.

Syntax

show ip source binding [dynamic | static]

Parameters

dynamic—(Optional) Displays information for IP source bindings that were learned by DHCP snooping.

static—(Optional) Displays information for static IP source bindings.

Command Mode

Privileged EXEC mode

User Guidelines

The show ip source binding command output shows all dynamic and static IP source binding entries in the binding database.

Example

switchxxxxxx# show ip source binding
Bind Table: Maximum Binding Entry Number 191
  Port  | VID  |    MAC Address    |       IP        |    Type     | Lease Time
--------+------+-------------------+-----------------+-------------+--------
   fa11 |    2 | 00:03:6D:01:10:A0 |   192.168.1.77(255.255.255.255)|   Static    | NA
Total Entry: 1

The following table describes the significant fields shown in the example:

Field       | Description
------------+------------------------------------------------------------
Port        | Interface number.
VID         | Identifier of the VLAN with which the address is associated.
MAC Address | MAC address of the interface.
IP          | IP address of the interface.
Type        | IP address type. The possible field values are Dynamic (indicates that the IP address is dynamically created) and Static (indicates that the IP address is a static IP address).
Lease Time  | The amount of time that the IP address is active. IP addresses whose lease times are expired are deleted from the database.

show ip verify source interfaces

To show the IP source guard configuration for specific interfaces, use the show ip verify source interfaces Privileged EXEC mode command.

Syntax

show ip verify source interfaces [interface-id]

Parameters

interface-id—(Optional) An interface ID or a list of interface IDs. The interfaces can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip verify source interfaces fa1-10
  Port  |     Status     | Max Entry | Current Entry
--------+----------------+-----------+---------------
    fa1 |       disabled | No Limit  |   1
    fa2 |       disabled | No Limit  |   0
    fa3 |       disabled | No Limit  |   0
    fa4 |       disabled | No Limit  |   0
    fa5 |       disabled | No Limit  |   0
    fa6 |       disabled | No Limit  |   0
    fa7 |       disabled | No Limit  |   0
    fa8 |       disabled | No Limit  |   0
    fa9 |       disabled | No Limit  |   0
   fa10 |       disabled | No Limit  |   0

The following table describes the significant fields shown in the example:

Field         | Description
--------------+------------------------------------------------------------
Port          | Interface number.
Status        | Shows whether IP source guard is enabled or disabled on the interface.
Max Entry     | Maximum number of binding entries allowed in the IP source binding database.
Current Entry | Current number of binding entries in the IP source binding database.
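
The show ip verify source interfaces output can be checked automatically during a configuration audit. The Python parser below is an added example, not part of the switch software: the function names are hypothetical, the sample rows are constructed, the "enabled" status text and numeric Max Entry values are assumed, and treating "No Limit" as a finding is an audit policy choice.

```python
# Constructed sample in the layout of the example above; "enabled" and the
# numeric Max Entry values are assumed output text, not copied from a switch.
SAMPLE = """\
  Port  |     Status     | Max Entry | Current Entry
--------+----------------+-----------+---------------
    fa1 |       disabled | No Limit  |   1
    fa2 |        enabled | 20        |   20
    fa3 |        enabled | No Limit  |   3
    fa4 |        enabled | 5         |   2
"""

def parse_verify_source(text):
    """Return one dict per data row of 'show ip verify source interfaces' output."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[0] in ("", "Port"):
            continue  # prompt, header and separator lines
        port, status, max_entry, current = cells
        unlimited = max_entry.lower() == "no limit"
        if not current.isdigit() or not (unlimited or max_entry.isdigit()):
            continue  # malformed row: skip rather than guess
        rows.append({
            "port": port,
            "enabled": status.lower() != "disabled",
            "max": None if unlimited else int(max_entry),
            "current": int(current),
        })
    return rows

def audit(rows):
    """Flag ports where source guard is off, unbounded, or at its binding limit."""
    findings = []
    for r in rows:
        if not r["enabled"]:
            findings.append((r["port"], "source guard disabled"))
        elif r["max"] is None:
            findings.append((r["port"], "no max-entry limit"))
        elif r["current"] >= r["max"]:
            findings.append((r["port"], "binding limit reached"))
    return findings

if __name__ == "__main__":
    for port, issue in audit(parse_verify_source(SAMPLE)):
        print(f"{port}: {issue}")
```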